5.1 fixed this bug:
- fix Quick mode installing 0.0.0.0/0 when no MSG_CONFIG exchange
[Andrew, Tuomo]
It was exposed in 5.0 (kernel policy was set to 0.0.0.0/0) but 4.x was
also broken (it installed the peer's host address).
I suspect this is a similar problem.
> left=82.100.127.28
> right=%any
> leftsubnet=0.0.0.0/0
> rightaddresspool=192.168.20.100-192.168.20.254
Here's the start of quick mode.
> Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
> Oct 17 10:16:02 sol1 pluto[882496]: | checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
It's looking for a host-pair matching 0.0.0.0/0 -> 192.168.20.2/32.
That's wrong - 192.168.20.2/32 is not the peer's host address. Yet,
somehow, it stumbled on:
> Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: responding to Quick Mode proposal {msgid:ba263d12}
> Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: us: 0.0.0.0/0===82.100.127.28[@xauth.mad,MS+XS+S=C] them: 6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
However, in 5.1:
> Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
> Oct 17 10:15:01 sol1 pluto[855951]: | checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
> Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot respond to IPsec SA request because no connection is known for 192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
that failed.
I'd file a bug.
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
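The mismatch pointed out above (a host-pair lookup keyed on the proposed traffic selectors, 0.0.0.0/0 -> 192.168.20.2/32, instead of on the two host addresses, 82.100.127.28 -> 6.149.27.119) can be checked mechanically over pluto debug output. The script below is an added example written for this page; it is not libreswan code and the two regexes are only assumptions about the two log line shapes quoted in the thread. The sample log is constructed from the lines quoted above, with the wrapped lines joined; the final "checking hostpair" line is a hypothetical one showing what a lookup keyed on host addresses would print.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Log line shapes assumed from the pluto output quoted in the thread.
PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[0-9.]+) #\d+: '
    r'the peer proposed: (?P<our_client>\S+)===(?P<their_client>\S+)'
)
HOSTPAIR_RE = re.compile(r'\| checking hostpair (?P<local>\S+) -> (?P<remote>\S+)')

# Constructed sample: the 5.0 lines from the thread (joined), plus one
# hypothetical line showing a lookup keyed on host addresses instead.
SAMPLE_LOG = """\
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:16:02 sol1 pluto[882496]: | checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
Oct 17 10:16:02 sol1 pluto[882496]: | checking hostpair 82.100.127.28/32 -> 6.149.27.119/32
"""


@dataclass
class Finding:
    conn: str
    checked: tuple[str, str]    # what the log says pluto looked up
    expected: tuple[str, str]   # local host -> peer host
    ok: bool
    note: str


def _net(text: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    # Normalise "1.2.3.4" and "1.2.3.4/32" to the same value.
    return ipaddress.ip_network(text, strict=False)


def audit_hostpair_lookups(log_text: str, local_host: str,
                           local_subnet: str | None = None) -> list[Finding]:
    """Verify every 'checking hostpair' line is keyed on host addresses.

    local_host   is the address from left=, local_subnet the one from
    leftsubnet=. The peer's host address is taken from the preceding
    'the peer proposed' line, which also carries the two client selectors
    the peer asked for; those selectors must not appear in the host pair.
    """
    findings: list[Finding] = []
    proposed: dict[str, str] | None = None
    for line in log_text.splitlines():
        m = PROPOSED_RE.search(line)
        if m:
            proposed = m.groupdict()
            continue
        m = HOSTPAIR_RE.search(line)
        if not m or proposed is None:
            continue

        exp_local, exp_remote = _net(local_host), _net(proposed["peer"])
        got_local, got_remote = _net(m["local"]), _net(m["remote"])
        problems = []
        if got_local != exp_local:
            if local_subnet is not None and got_local == _net(local_subnet):
                problems.append("local side is the configured leftsubnet, not our host address")
            elif got_local == _net(proposed["our_client"]):
                problems.append("local side is the client selector the peer proposed for us, not our host address")
            else:
                problems.append("local side is not our host address")
        if got_remote != exp_remote:
            if got_remote == _net(proposed["their_client"]):
                problems.append("remote side is the peer's proposed client, not its host address")
            else:
                problems.append("remote side is not the peer's host address")

        findings.append(Finding(
            conn=proposed["conn"],
            checked=(m["local"], m["remote"]),
            expected=(str(exp_local), str(exp_remote)),
            ok=not problems,
            note="; ".join(problems) or "keyed on host addresses",
        ))
    return findings


if __name__ == "__main__":
    for f in audit_hostpair_lookups(SAMPLE_LOG, "82.100.127.28", "0.0.0.0/0"):
        status = "OK  " if f.ok else "BAD "
        print(f"{status} {f.conn}: checked {f.checked[0]} -> {f.checked[1]}, "
              f"expected {f.expected[0]} -> {f.expected[1]}: {f.note}")
```

Run it against `ipsec barf` or `pluto --debug-all` output with the values of `left=` and `leftsubnet=` from the connection in question; the first sample line is flagged on both sides, the hypothetical second line passes.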